Read Release of Information Services: text version

Release of Information Services: More Than Just Copying

A white paper by G. Michael Bellenghi September 2003

© 2003 by the Association of Health Information Outsourcing Services. All rights reserved.

Although some deem it simple photocopying, for healthcare organizations the release of information (ROI) process is characterized by high levels of complexity and risk that must be carefully balanced with the public's need for health information. Key steps in the process include logging, verifying and tracking a request, retrieving patient information from multiple locations in multiple formats, authenticating the requestor, determining the minimum information needed to meet the request, safeguarding sensitive information that could potentially be released in the process, and then and only then reproducing, packaging and mailing the documents with an invoice. These time-intensive steps clearly demonstrate that ROI is far more complex than simply pressing "start" on a copy machine; thus, their appropriate, efficient and cost-effective execution depends on welltrained ROI specialists who know how to protect both the patient's confidentiality and the hospital's liability in information release.


ealth information management (HIM) professionals are guardians of some of the most personal and sensitive information on record anywhere about an individual. Yet every day they are asked to release this information to any one of multiple sources: continuing care providers, insurance companies, government review and regulatory agencies, hospital peer review committees, researchers, employers, the social security administration, attorneys, legal guardians and patients themselves.

Although everyone knows that healthcare has changed dramatically over the last twenty years, few tend to consider the impact of these changes on the medical record, which has become a complex and extensive collection of paper, microfilm, microfiche and electronic files. Those requesting information expect it to be supplied very quickly, at minimal cost. After all, they suggest, it's just a matter of opening a file cabinet, pulling out a folder and making a few copies at the photocopier, right? Nothing could be further from the truth. Anyone working at HIM's front lines today understands that photocopying is only one step in a multi-step process governed by internal organizational policies as well as external state and federal regulations, the latter most recently enhanced with the 2002 passage of the Privacy Rule within the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA). Logging, verifying and tracking a request, retrieving patient information from multiple locations in multiple formats, authenticating the requestor, determining the minimum information needed to meet the request, safeguarding sensitive information that could potentially be released in the process, and then finally reproducing, packaging and mailing the documents with an invoice are timeintensive steps that must be performed by well-trained release of information (ROI) specialists who know how to protect both the patient's confidentiality and the hospital's liability in information release. Multiply these steps by the 20 to 50 requests a suburban community hospital typically receives each day or the hundreds of requests a larger tertiary facility might receive, factor in the need to respond within a very limited timeframe, and it becomes easy to see why nearly 80 percent of healthcare organizations choose to outsource this process.

Release of Information: What Does It Really Take?

AHIOS White Paper, Page 2

Together, the volume of medical information and requests to share it, the intricacy of each medical record and the critical imperative to protect the information it contains make the ROI process as complicated as it is important.

Logging, Tracking and Verifying the Request

The first step in handling an ROI request is to create a log to track ROI activities. Upon request, organizations must be able to give their patients an accounting of who has seen their medical information, when, where and for what purpose. Under HIPAA, patient requests must be fulfilled within 30 days for records kept on site, and within 60 days for records filed off site; some states have even stricter requirements as well as specific turnaround times for other types of requestors. As a result, ROI specialists must track their actions every step of the way, sometimes using advanced software designed for this purpose. Next, the patient must be identified in the hospital's master patient index (MPI). Did he or she actually receive care at the hospital at the time specified? The request must then be verified. Among other elements, HIPAA requires a proper signature and date, identification of the specific information to be released, an expiration date for the authorization, identification of the party who is authorized to receive it and restrictions on redisclosure by that party. Further, who is authorized to represent the patient who is a minor, incompetent, deceased or the child of divorced parents? To make the right decision in accordance with state and federal laws, ROI specialists may need to consult HIM managers or the hospital's legal counsel. At this stage, a percentage of requests will be invalid a figure that has increased with the passage of the Privacy Rule within HIPAA. Invalid requests require the ROI specialist to communicate with the requester to resolve the issue at hand.

Retrieving Patient Information

One of the most time-consuming steps in the ROI process is locating the requested information. In a perfect world, the medical record would be up to date and easily accessible from an electronic database within a few days after the patient's discharge. The reality, however, is quite different. A patient's medical information may consist of reports from many sources stored on different media in different locations. Documents may include the history and physical exam; discharge summary; consultation reports; physicians' orders; progress notes; ancillary reports from radiology, pathology, the laboratory and imaging; operative reports; anesthesia records; nursing notes; care plans; records of specific medical

Release of Information: What Does It Really Take?

AHIOS White Paper, Page 3

treatments such as respiratory care, wound care and so on. The sheer volume and variety of reports presents a paper-chase challenge that ROI specialists tackle using a variety of well-established systems, none of them fool-proof. Factors that affect the information retrieval process include: · Timing: Most ROI requests are received shortly after a patient's hospital encounter, at which point the patient records are likely to be incomplete. Each day, a large HIM department may receive thousands of loose reports that must be identified and properly filed, a never-ending process. In addition, after the patient's discharge the medical record may remain "off the shelf" until it undergoes any one of numerous processes required before filing, such as analysis, transcription and coding. To fulfill an ROI request, ROI specialists must locate missing reports waiting for filing in the HIM department or existing elsewhere in the hospital or provider network where they are part of the normal course of doing business. Filing methods: An organization's filing methods can also present a significant challenge to the retrieval of complete patient information. Folders may be missing, or portions may be "batch filed" by date of service in certain departments or stored off site in warehousing facilities, both of which require HIM staff to travel to multiple locations in search of the information they need. Depending on how efficient the hospital is at

Where Is the Medical Record?

Although many organizations strive to achieve a true unit record for a patient a complete set of information about that patient's care many factors challenge this goal. Think about paper alone, for example. Some facilities store their inpatient and same-day surgery records in a medical records folder and their records for emergency department and outpatient ancillary visits by date of service, a process often referred to as "batch filing." Retrieving information in a facility that batch files is very time consuming. For example, if a patient was admitted as an inpatient on one occasion and then seen in the ER on six different occasions, records may exist in seven different locations. Off-site storage can become an issue as well. Most organizations maintain three to five years' worth of activity in their medical record department. When an organization runs out of storage, it may turn to off-site storage either in a building it owns and operates or in a vendor's. Storage facilities that a healthcare organization owns are typically not climate controlled nor well organized, making record retrieval a grueling task. Records stored with a vendor require an additional retrieval cost and the extra step of calling or faxing to make a request for the information. Problems also occur if a facility stores deficient records with complete records. For example, when a doctor needs to dictate a discharge summary, the patient's unit record is pulled and the deficient record is attached so that the unit record remains complete. However, now the patient's medical record may be traveling throughout the hospital until the physician completes the record. Now factor in the different storage media an organization might use. Ancillary departments (e.g., radiology) may have pieces of the medical record stored in their department information systems. Microfilm storage might require time-consuming scrolling through page after page of documentation. Nonetheless, the ROI specialist must piece the medical record together before fulfilling each request.


Release of Information: What Does It Really Take?

AHIOS White Paper, Page 4

filing its loose reports or how many loose reports it grapples with each day, finding a complete record can be difficult; in the end, executing an ROI request often comes down to finding that one piece of paper that remains unfiled. · Filing errors: Once the ROI specialist finds the record, he or she must determine whether all the pages within the record actually concern the patient in question. Because of filing errors, which occur due to similar patient names, pages stuck together or myriad other reasons, care must be taken to ensure that another patient's privacy is not violated during the ROI process. Therefore, the specialist must individually check and confirm each page of the record belongs to the patient whose information has been requested. Storage media: In addition, patient records may be stored on paper, microfilm, microfiche or electronically in any combination. ROI personnel must know where to look for each component of the medical chart, how to retrieve it and how to make reproductions of data from each of these sources.


All in all, these factors can add up to significant phone work, leg work and detective work before all pieces of the record are retrieved.

Releasing Only Authorized Information

Once the patient's information is assembled, the ROI specialist must authenticate the request by checking the patient's or guardian's signature on the request form against the authorized signature in the medical record. Once again, if the two do not match, the ROI specialist is required to communicate this information to the requestor and determine appropriate action. Armed with an authorized request, the ROI specialist must review the assembled records carefully and then pull out of those records the minimum amount of information required to meet the requestor's need, a point underscored by HIPAA. Training and mature judgment play vital roles in this process. What if the requestor asks for information related to a patient's back surgery? Should the ROI specialist include physical therapy visits made before the surgery or a trip to the ER six months after surgery for severe back pain? In addition, requests are often broad and vague. If requestors ask for copies of an entire medical record, do they really want reports on the patient's childhood tonsillectomy or births of children? The ROI specialist may need to consult requestors, patients themselves, HIM management or legal counsel to determine what is really needed and appropriate especially before reproducing the entire record and possibly invoicing the requestor for hundreds of pages. To help ROI specialists (and others) find their way through what could be hundreds of pages of medical information, most hospitals adopt a chart order, color-code chart

Release of Information: What Does It Really Take?

AHIOS White Paper, Page 5

portions or tab them to facilitate the location of specific information. In clinics, however, this may not be the case. Finally, the ROI specialist must take the time to verify that each page he or she has determined will address the request does in fact belong to the patient in question by checking for the proper name and identification number.

Four Words That Changed a Patient's Life

The ROI specialist truly serves as the last line of defense in protecting sensitive patient information. Patients themselves may be unaware of what their records contain and may unknowingly authorize the release of damaging information. For example, a state employee was injured on the job and taken to a hospital emergency room. In taking the employee's history, the resident inquired about the patient's alcohol use, to which the employee responded that he maybe drank a six-pack of beer over the weekend. In his chart, the resident inaccurately noted "history of binge drinking." The workers' compensation insurer, in order to pay the claim, requested release of the employee's medical information. The employer then determined the man was an employment risk and terminated his employment. Fortunately, most ROI specialists will spot such sensitive material before it is released and will alert the patient.

Safeguarding Sensitive Information

The final step before reproducing or scanning the requested information is perhaps the most time-consuming of all: reviewing each page of the requested information for sensitive personal details that, if released, could damage the patient's employment status, personal relationships, reputation or more.

HIPAA as well as many states specify that the healthcare organization and its associated service vendors can be liable for a breach of confidentiality by releasing sensitive information in a number of categories. Typically, reports on treatment for mental health disorders, drug or alcohol abuse, abuse from a partner, sexual dysfunction and HIV or other sexually transmitted diseases cannot be released without additional authorization from the patient. In addition, the information may be too sensitive to release to the patient, particularly in behavioral health instances. In such cases, the treating clinician may be called upon to make the decision whether to release the information. While the sensitivity of some data is obvious, such as that protected by statute, other data falls into gray areas. Again, the judgment, training and experience of the ROI specialists and their managers are critical factors in protecting the patient. Not surprisingly, then, many follow the rule, "When in doubt, ask," even if calling the patient or seeking legal counsel causes further delay and cost.

Completing and Invoicing the Request

Reproducing the authorized information is always more challenging than feeding paper into a copying machine. The ROI specialist must obtain legible copies from originals that

Release of Information: What Does It Really Take? AHIOS White Paper, Page 6

may be hard to read or larger or smaller than standard paper sizes (e.g., cardiac monitoring charts). Originals may include laboratory mount sheets that cause key pieces of information to be inadvertently concealed. Pages may be of different weights and colors and torn, dog-eared or otherwise folded. All of these situations require special handling with reproduction equipment. Reports may need to be printed from a computer, or printouts may need to be generated from microfilm and microfiche. If color images are required, they must be reproduced on a color copier or through a photo processor. Once assembled, the materials are collated, reviewed again to ensure that they fulfill the request and logged. Then charges are calculated and an invoice generated if the request is billable. Healthcare organizations may charge attorneys, insurers, certain state agencies and Social Security for the cost of record search and retrieval, reproduction and mailing expenses. Under HIPAA, patients may be charged only for the cost of supplies, the labor of copying and postage. Most states have specific regulations about how much, if anything, requestors should pay for the cost of fulfilling their ROI requests and how charges should be determined. Requested information and any accompanying invoice are then packaged up, transported to the mail room and mailed, or emerging scanning technologies allow electronic transmission of the materials. The original medical record components are then carefully and promptly replaced in their proper sequence in the medical record folder and returned to the HIM department. Lost records have serious repercussions for the healthcare institution and patient care, as ROI specialists know only too well. Following up on billable accounts is the final stage in the long process of fulfilling ROI requests. Payment on thousands of invoices, which range from $15 to $50, needs to be collected a daunting task for any organization.


The ROI process is heavily regulated and carries the risk of fines and even jail sentences. Requests need to be fulfilled within a defined period, all releases must be properly authorized, sensitive information must be protected, and all disclosures must be carefully tracked. With the stakes this high, healthcare organizations depend on dedicated ROI specialists who have the training and experience to understand the risks as well as the complexity and who view safeguarding confidential patient information as not just a job but a mission. By outsourcing this labor-intensive yet critical function, healthcare organizations can be assured that they will have such specialists on the job, helping them disseminate information appropriately, efficiently and cost-effectively.

Release of Information: What Does It Really Take?

AHIOS White Paper, Page 7

About G. Michael Bellenghi

As executive vice president of AHIOS, G. Michael Bellenghi works directly with the Association President to administer the Association's business affairs and to coordinate the operations of the Association under the general policy guidelines of the Board of Directors. Mr. Bellenghi has over 30 years of diversified experience working with a broad range of healthcare organizations. He is presently co-owner and director of BF Healthcare, a privately held physician staffing company in Philadelphia, and is a shareholder and director of Home Health Corporation of America, Inc., a privately held, Medicare-certified provider of home care services. Mr. Bellenghi was a founder of and remains a director of the former FYI, Inc., now SOURCECORP, Inc., a national provider of business process outsourcing solutions for the healthcare industry as well as other information-intensive industries. Before this, he was chairman and CEO of Recordex Services, Inc., one of seven founding companies of FYI. Mr. Bellenghi also co-founded and served as managing partner of a management consulting firm that provided a vast array of strategic planning, operating, financial, and business development support to various sectors of the healthcare industry. He began his career in the public accounting profession, where he spent more than 20 years with the firm Deloitte & Touche. A partner in the firm's audit function, he was partner-in-charge of the Philadelphia office's healthcare practice for 10 years. Mr. Bellenghi is a certified public accountant and holds a BS degree in accounting from LaSalle University. He is a member of both the American and the Pennsylvania Institutes of Certified Public Accountants, a former chairman and current member of the board of trustees of The Center for Autistic Children of Philadelphia, and advisor and director on numerous other boards.

About the Association of Health Information Outsourcing Services (AHIOS)

Established in 1996, AHIOS exists to promote, strengthen and enhance the health information management outsourcing industry while ensuring excellence in the handling and dissemination of confidential patientidentifiable information. Its goals are to: · · · · Increase awareness of the value, importance and complexity of the industry's services, particularly ROI services Establish standards of excellence for the industry of health information management outsourcing Pursue fair and equitable treatment of the industry through legislative, regulatory and legal processes Create educational and networking opportunities for members

For further information, please visit

Release of Information: What Does It Really Take?

AHIOS White Paper, Page 8


Release of Information Services:

8 pages

Find more like this

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate


You might also be interested in

fact sheet Admission Criteria Seven Rivers.pmd
First Step Book